"Major Retailer's" Data Breach Results In Wave Of Credit Card Fraud?

By consumerist.comJanuary 15, 2008

Anecdotal evidence suggests that a recently reported data breach by an undisclosed “major retailer” has resulted in a jump in consumers having their debit cards forcibly reissued, or calls from their bank to verify their recent purchase history. The problems seem to have started just around Christmas time and have continued into mid-January.

The thefts cut across all types of credit cards, but one of the common threads is that the cards are being used to purchase physical products in-store. This is a contrast to the big credit card reissue last year when stolen debit cards were being used to make fraudulent ATM withdrawals. Which retailer? Who’s behind it? Nobody knows and we won’t find out for some time, not until the cops catch the robbers. Until then, here’s all the people on our site talking about the recent seeming surge of fraudulent activity..

ROBDEW2: “I had a very similar thing happen to my BofA account two weeks ago. It still continued AFTER the card was canceled. I left BofA because of this. It was the first time I ever felt my money was not safe in the hands of a bank. “

CONNETICUTMRS: “nteresting, this just happened to me as well. Except with another bank (People’s) and there was a Sprint Charge (Reston, VA which I think is where their bills go), Direct TV and Cablevision. All services that I don’t use. They are currently investigating but I did get a provisional credit. I find it totally baffling how this can happen while I have my card in my possession. I hope to hear more comments on this, especially since I’m experiencing it now. “

DIESEL1: “This is scary, the same thing actually happened to me on 1/10/08. Bank of America alerted me that someone swiped a physical card to make purchases in states I’ve never been to with my BOFA check card. What scares me the most is that I live ten miles from Reston Virginia. I think something is amiss at Bank of America and they arent telling everyone the full story.”

ED: “Over Christmas break I was back home with my parents. They asked me to buy them an ink cartridge while I was out, so I picked one up at Office Depot with my BoA credit card (I almost never use my debit card anymore thanks to the information you guys have spread about customer protection with credit cards). Four days later, BoA calls about some suspicious charges in two NJ Office Depots (not the one I visited). Obviously the charges weren’t me, but the BoA lady told me that the card was physically swiped for the fraudulent charges. When I read that fact in your post, I thought that maybe something bigger is happening; scammer creating fake cards or something? I don’t know, but I thought I’d let you know.”

Amanda reports that a ton of people on her neighborhood message board say they’ve had their cards replaced recently, including her family. “Citibank contacted my husband and told him that they would be re-issuing him a new account number because a “major merchant” had notified authorities that its secure data had been compromised. They would not release the name of the merchant, instead saying that it was “the kind of thing we would probably hear about in the news,” she writes. Then her own American Express card was used in Flordia and the same thing happened to a neighbor down the hall.

ECWIS: “This happened to my Chase Freedom card just a week or two ago. They said someone attempted to use it at Macy’s and Bed Bath and Beyond for around $1,000 worth of charges. The weird thing was that I rarely use the card and I still had it in my possession…”

VMXEO: “I don’t have a Chase card, however, my Citibank debit card was hit with several fraudulent charges several weeks ago. Many of my friends and co-workers (I lost count after 20) have also had their Citibak and Chase debit cards and credit cards all compromised within the last several months. The charges seem to come and go in waves, the first round being used to purchase items at drug stores in Texas, and the recent round was gas in Kissamee Florida. The fraud rep from my bank inferred there was a breach at a credit processor somewhere, but I couldn’t get any more details than that. The day I went to pick up my replacement card from the bank, there was a whole stack of overnighted envelopes with replacement cards waiting at the desk. (and it was the last working day before christmas, of course). I’m still waiting to get my money back from the bank :(“

MRBILL: “My Chase Visa got compromised a month or two ago; someone bought $250 worth of gas in Louisiana and then tried to use it at a Wal-Mart next door to the gas station.”

SCHWARTZ: “Same thing happened to both myself and my sister (I live in Louisiana, she lives in Georgia) with our debit cards on Monday. Talked to a few other people with Chase and about half of them have had the same thing happen.”

JDH2000: “I have an Amazon.com Visa through Chase and got a call today (1/2/08). I didn’t really pay attention to the number they left on my answering machine. Instead, I called the number on the back of the card and was automatically transferred to their fraud prevention dept. I verified three recent charges, all of which were legit, and all of which were less than $50 each. They basically said, “thanks” and that was it.

very strange . . . .”

FELIXGOLDEN: “Just got a call from Chase within the last hour – same situation. They verified the last few transactions, though nothing was out of the ordinary. The rep told me that even though there were no fraudulent transactions, they had information that my card number was compromised and were canceling it and issuing a new one.

Someone big must have had a security breakdown. “

HERSELF_NYC: “I’m going through the same thing.
Chase canceled my card right before Xmas and sent me a new one, and then called me two days later to verify charges, and then called me again today. In fact, I sit on hold with them as I type this.

SOMETHING odd is going on.”

YOUBASTID: “I’m not sure which I have – it used to be a “double platinum” but when that one expired they sent me one that was just branded “Chase.” I did get a call from the fraud dept last week, but I’m assuming it’s because I hadn’t used the card in a while and all of a sudden charged about 500 bucks to it.”

Comments

Edit Your Comment

I got a call from one of my Mastercard issuers about a week ago stating someone tried to fraudulently use my card or card number for two purchases over $2000 in Ireland. Luckily the issuer did not allow the card to go through.

Timely – I got a notice yesterday from my (mid-atlantic, state employees’) credit union yesterday that my Visa check card was going to be reissued due to a security breach at a merchant location. This card has never been used for an online transaction, so I have to guess it’s someone like Walmart, Home Depot, etc with national reach.

Weel, since were on the topic. I went to use my debit card (Visa) to pay an electricity bill on 11/27/2007 and my card was declined. Called the bank to ask about the promblem, and the customer service lady says “Oh, there was suspicious activity on your account, someone used it in Riverside,Ca , so we cancelled your card. Might i add i currently live in Houston, TX but frequent Louisiana often. So i say, “Wow, thats scarry, what type of purchase was it, and where at? Shouldn’t i have been ntified about this?” And she told me it was 2 transactions at a K-Mart, one for $100 and one for $200. And then another at a Dept store that i cant recall as of now that was roughly $112. So she said someone physically used my debit card in the store to make these purchase. Luckaly it wasnt an issue to get my money back. But still…

#1: It’s down right scary.

#2: Why didn’t they try and contact me and inform me that there was suspicious activity?

Consumerist homework project: Have just 10-20 of these people send you their last three statements, with all personal info blacked out, and you’re very likely to figure out which retailer is the culprit, whichever one they all have in common. It would help especially if you get a few statements from cards that were only used a few times.

I want to know the retailer too. I agree with Punkwawka, get all these people together and ask them where they used their card in mid December–even those who have not had any fraud on their card (yet) but who are getting calls. There’s got to be a clear culprit.

Btw, I just got a new Chase Amazon card and while there’s been no fraud, when I went to register my online account, it already had a phone number and an email account that I do not recognize at all. I let them know them know that the contact info they had for me was incorrect but I don’t know if it was a mistake or some kind of attempted fraud.

From what everyone is saying it involves multiple banks, both credit & debit cards and also smaller banks.

People live in the east coast, southeast were impacted at least from the quotes posted here.

Cards are being used all over the place but for some odd purchases. Gas, Walmart, Kmart, eight hundred dollars in running shoes and overseas.

My guess is either a national retailer that everyone of these people has used since maybe November of last year. Or a credit card processor had a breach. There is also still the possibility of fraud or a breach at one of these third party places like Choicepoint. They were involved in the TJ Maxx breach.

Someone should start a thread somewhere for all of these people to compare what national chains all of them have shopped at in the last 3 months. It would be easy to narrow down if it indeed was a retailer.

I had BoA call me about 2-3 weeks ago with the same thing, stating unusual activity on my card and froze it. Thankfully though, there was no wrong doing. The person i spoke with stated something about Target having problems and wanted to make sure I had my card with me and then proceded to verify my purchases. I don’t know if thats the “major retail establishment” or not thats having problems, but thought i’d include that.

It actually makes me want to go check on all my online accounts right at this moment.

Notice also how the fraud amounts (for the most part) are in the $100-$300 purchase range–low enough not to send out alerts. I placed on my cards to alert me via email of any purchases over $500–maybe also low enough not to alert the credit cards/banks. Might have to lower that amount.

I’ve taken to using the “single use” virtual card numbers my credit card company offers. Any time I use my credit card on the phone or online I quickly generate a single use credit card number. Not only are the numbers single use, but the expiry date is always one month from the date of purchase. I know that both Citibank and Discover offer this service. Don’t know about other issuers.

@missbehave: Your bank or credit card institution serves you by crediting back your funds and re-issuing new cards where necessary. They do “not” serve the merchant per say. That’s where Visa and Mastercard are heavily involved when this occurs. It’s Visa/MC’s “merchant”, or processing house contracted by that merchant, that is suspect. And until Visa/MC identifies the breach (who, what, where, when) you simply do not have the right to know.

This happened to my girlfriend last year. 2 purchases to walmart for a total of 1600 dollars. BB&T called and notified her of the charges – and subsequently credited her account for the fraudulent amount. I believe one purchase was in Canada, the other in GA. Both cases were a physical card…

Pretty scary – but don’t stores have cameras above registers? If so.. cant they just say ” what time did customer w/ card number 123456789 buy this stuff.” and rewind the tape back to see who used the card? i mean, that… makes sense, right?

As for in store purchases- evidently card cloning is pretty easy (ref. white cards- mag strip only versions w/o printing), alot of stores have self check outs, the thieves know about the $400-$500 report threshold (Walmarts in Miami FL Dade county area apparently got burned for millions in $400 gift cards related to the TJX breach).

I do find it interesting that the retailer is not identified. However, they could have sat on the breach info for a couple of months, to be able try and disguise the breached store. Plus the store level users are just mules who purchased the cards from the real crew who pulled down the cards and is making the clones…

@zimzombie: I’m wondering if there’s a fraud ring involving waiters/waitresses using skimmers. A bunch of folks got busted for that a year or two ago in Maryland, and considering a lot of the cases are on the east coast…

I had my identity stolen several years ago. The local media even contacted me to do a story about it since it was such a growing crime, but they never followed through with the story. Anyway, I remember that most of the charges were sub-$300. The police said that $300 was about the limit where a retailer would generally just write off a fraudulent charge, and the criminals were well aware of this. Anything over that, the retailer would likely prosecute in the event the perpetrator was caught. I guess they figure anything below $300 just isn’t worth their time to pursue. It sounded strange to me back then, but this whole story is giving me flashbacks. I’m going to check my Chase Amazon account right now to make sure everything looks legit.

I wonder why my CC company have never flagged my card as having fraudulent purchases. I mainly use cash but I would often just use my card out of the blue. Like no activity for a couple of months, then several thousand dollars at a Lowe’s or a vacation package. I also just randomly use the card when I’m out of state.

Either my card company sucks or there is a science to it and it’s way beyond my understand.

I got a call late New Year’s Eve from someone claiming to be my bank, Huntington, noting suspicious activity on my debit card. They wanted my SSN or account number to verify who they were talking to. The subject of this call already had alarms going off in my head so I declined. The phone rep requested that I call the customer service number on the back of my card.

Before calling, I checked my account online and sure enough, there were four charges in Brooklyn, NY (not where I live) for a total of $747.21. One was at Key Food and another was at Walmart.

In the few minutes it took me to call the bank, they had already turned off my card. I had to stop by the local branch to dispute the charges and order a new card. It only took 6 days to get the money back.

I used my debit card for online purchases and B&M stores so I can’t help nail down which retailer might be leaking.

Had a similar issue here. Credit card from a small credit union charged for Comcast, Sprint, TMobile and Progressive expenses. I am not a customer at any but the first, and Comcast had no record of the charge. All charges were in varying amounts ranging from 90-350 dollars. Canceled my card immediately. I live in the DC metropolitan area.

Why, oh why, does the US not use Chip and Pin protection you find in European Debit/Credit cards?? The chip on your card holds all the info, and you have to enter a 4-digit PIN to complete any transaction. The only risk you have is of someone witnessing your pin being entered, and I have NEVER swiped my card using the magnetic strip. It just makes more sense. To me, an ex-pat, that is.

@gingerCE: I know some people are against asking for ID when using credit cards–but it doesn’t hurt and could help–so why not do it?

Because the Visa/MC merchant rules “to the merchant” forbid/restrict it.

So, basically the consumer (financial fraud all the way to possible identity theft), the merchant (out the merchandise without recovery), and your bank (re-issue the cards and loss of reputation even though its NOT the banks fault) is screwed in a situation like this, and Visa/MC are in the clear and play “the cop” (they are the weak link, IMHO, but they hold all the cards, pun intended).

Granted, some merch or a contractor processor screwed up, but Visa/MC sets or inhibits the policies that may thwart a degree of fraud (i.e. no ID can be used to verify the card). Visa/MC in the long run is saying, ANY card is good until the “number sequence of that card” as owned by the card-holder, calls it in as fraudulently used.

Trust me, the organized gangs that do this e-theft BS are very, very, very good.

Got my Citibank card canned yesterday. No fraudlent charges from what I can tell, but the customer service rep said that a merchant had had a theft, but wouldn’t tell me who since it was still “under investigation.”

The only national, physical retail stor eon my statement for that time period is Target.

Someone used my credit card to purchase a computer from Dell on January first. Luckily I caught it before it was out of the temporary authorization stage, so they didn’t get their ill gotten merchandise.

This happened to my husband a few weeks ago. Wells Fargo. We came home after a day of shopping (using the card) to find out that someone had swiped a physical card for $300+ down in Mexico. WF figured that we couldn’t be in two places at once so they called to verify where were were.

This also happened to my sister-in-law in December. Someone using a physical card on the east coast while they’re in the midwest.

Were’ all scratching our heads where they got the numbers for the cards. I’ve been checking my credit cards and debit card almost daily to make sure they’re okay.

I started noticing gas charges on my bank account in odd amounts. I used First National of Texas, and just disabled the account… but it started right after Christmas as well. I’ve never banked with Chase, Citibank or BofA, but I do use my debit card primarily because of the Visa protection.

I also have a Chase Amazon visa for a few years now, i use it exclusively for online Amazon purchases (no retail stores, no resitaurants, no other online purchases) and never had any problems/unauthorized charges on it.
So i guess it’s not Amazon:)

Gruffy: If they did, I wasn’t notified. I’ve had accounts with them for years. However, my debit card was recently compromised and used on porn sites, but Wells Fargo was relatively easy to deal with when fixing that. I never did figure out *where* it was compromised at.

Holy crap! I live in DC and this happened to me right before Christmas. I rarely use my check card from my small credit union to make purchases (as in only a dozen times a year for times I forget to make a cash run) …I use it almost exclusively for the ATM. Well, I got a call from the fraud division of the company that handles my credit union’s Visa check card to inform me that someone in VA was trying to makes two separate charges of $1500 to Sprint (together with Nextel!). The card was never out of my possession save for the two times I used it in December (Sodexho and a restaurant) I have had $1500 missing from my bank account since…Christmas Day! As it was the weekend and since no one could put a stop on the charge, one of the charges went through. I’ve been on the phone several times with countless people for a total of ten hours dealing with this. On the phone with my credit union, Sprint, the police department, the Visa card administrator…nightmare! To add to the creepiness of this, a relative on the other side of the country I recently spoke with told me that his check card was being used in Maryland (!?) for random purchases. Someone in the mid-Atlantic forging check cards/getting check card data? Whatever this is, my jaw just dropped into my bowl of emergency budget Ramen noodle soup while reading this post. I’m getting rid of my check card now. ATM card here I come. Cash or AmEx to pay for my purchases from now on.

Here’s a list of some of the likely merchants I used: Target, Paypal, Newegg, Sam’s Club, Game Stop, and various gas stations. Mostly in Southeast Florida and the New York metro area over the last few months.

This is all becoming really scary. We can’t trust retailers, banks, or the government with any of our information. What are we suppose to do? We can’t just crawl into the fetal position and wait. Then we have to do deal with the bad CDO loans that could eventually hit prime lenders and turn into the lending crisis and we also have the PPI rise the most since we were in inflationary hell. On second thought, maybe the fetal position might not be so bad after all.

Add my name to the roster. Last week my wife and I got a phone call from the bank where we have our joint accounts. Someone cloned my wife’s ATM card (I know it wasn’t mine because I have never used it) that draws on that account and withdrew $2000 from our savings account in the space of about two hours.

The good news is that we got our money back since it was insured, and we both got new ATM cards and PIN numbers. The bad news is obvious.

The thing is people they may not KNOW where the breach is yet. Could be an inside job, and it’s only the constant fraud reports that are bringing this to their attention. And honisty it’s unfortnetly simple to make clonned cards. There’s a whole black market for card data.

They get it, and sell it to the highest bidder, who then makes a copy of your card, and uses it.

On Dec 28th my wife was on the cell phone to her aunt when Discover called on the landline asking if she was in Wal-Mart charging $528.00. I checked her purse and her card was there. They immediately canceled the card. Apparently the person had charged gas at Chevron, $120.00 at Wal-Mart (earlier), $1.08 at McDonalds and was now going for the $528.00. I assumed that the shopping caused a hunger pang and the person using the card stopped by the in-store McDonalds for a quick pickup. (Later interview with Discover showed that it was the in-store McDonalds.)

Not sure if Wal-Mart caught it or Discover did. It was surprising that it was my wife’s card since I use my Discover card way more than she uses hers. Discover says the card could have been copied as much as a year before it was used.

I believe that anyone that needs a credit card to make a 99cent purchase at McDonalds should have to show multiple identifications and even then the card should taken away until their credit score has been reevaluated.